[Solved] pfBlockerNG blocked LAN access to Nest thermostat



  • Problem:

    I first noticed I lost access to the Nest app a few days ago, approx Aug. 8, 2018. The attempts are made on my local network - phone or laptop connected to wifi.

    My setup:

    • pfSense 2.4.3-RELEASE-p1
    • pfBlockerNG 2.1.4_8
    • OpenVPN via PIA east
    • No VLANS
    • DNS 1.1.1.1 and 1.0.0.1

    Troubleshooting steps taken:

    • Reboot router - nope
    • Disable VPN - nope
    • Disable pfBlockerNG - success

    I want pfBlockerNG enabled so I checked the LAN rules.

    Solution:

    I began disabling pfBlockerNG LAN rules one-by-one.

    Once pfB_Asia_v4 was disabled I gained access to home.nest.com.

    Notes and Questions:

    I pinged home.nest.com; the IP that came back is 34.224.19.8. I then checked for this IP in the pfB_Asia_v4 list.

    It is NOT on the list.

    Does anyone have any input on why pfB_Asia_v4 blocks home.nest.com? Seems strange, and I'm not confident in any conclusion other than it just does.

    pfBlockerNG logs attached.

    0_1534098275063_pfblockerng.txt

    EDIT: added DNS servers used.


  • Netgate Administrator

    home.nest.com comes back as many IPs.

    Where did you resolve it as that?

    What DNS servers are those devices using that lost access to it?

    Steve



  • @jsutt said in [Solved] pfBlockerNG blocked LAN access to Nest thermostat:

    home.nest.com

    dig home.nest.com
    
    ; <<>> DiG 9.12.1 <<>> home.nest.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62974
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 4, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;home.nest.com.			IN	A
    
    ;; ANSWER SECTION:
    home.nest.com.		120	IN	CNAME	vhome-hme01-production-1616512027.us-east-1.elb.amazonaws.com.
    vhome-hme01-production-1616512027.us-east-1.elb.amazonaws.com. 60 IN A 54.164.247.53
    vhome-hme01-production-1616512027.us-east-1.elb.amazonaws.com. 60 IN A 34.224.19.8
    vhome-hme01-production-1616512027.us-east-1.elb.amazonaws.com. 60 IN A 52.0.100.178
    vhome-hme01-production-1616512027.us-east-1.elb.amazonaws.com. 60 IN A 34.226.173.91
    vhome-hme01-production-1616512027.us-east-1.elb.amazonaws.com. 60 IN A 52.200.50.119
    vhome-hme01-production-1616512027.us-east-1.elb.amazonaws.com. 60 IN A 52.206.12.53
    vhome-hme01-production-1616512027.us-east-1.elb.amazonaws.com. 60 IN A 34.197.4.69
    vhome-hme01-production-1616512027.us-east-1.elb.amazonaws.com. 60 IN A 54.172.40.124
    
    ;; AUTHORITY SECTION:
    us-east-1.elb.amazonaws.com. 1800 IN	NS	ns-1119.awsdns-11.org.
    us-east-1.elb.amazonaws.com. 1800 IN	NS	ns-1793.awsdns-32.co.uk.
    us-east-1.elb.amazonaws.com. 1800 IN	NS	ns-235.awsdns-29.com.
    us-east-1.elb.amazonaws.com. 1800 IN	NS	ns-934.awsdns-52.net.
    
    ;; Query time: 245 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Aug 12 15:04:12 EDT 2018
    ;; MSG SIZE  rcvd: 379
    
    
    


  • @stephenw10 said in [Solved] pfBlockerNG blocked LAN access to Nest thermostat:

    home.nest.com comes back as many IPs.

    Where did you resolve it as that?

    What DNS servers are those devices using that lost access to it?

    Steve

    I pinged home.nest.com from a powershell admin window.

    • I see now that continuing to run 'ping home.nest.com' will use a new IP each time.

    I'm using 1.1.1.1, and 1.0.0.1 as secondary.


  • Netgate Administrator

    Ok, well, if your devices running the app are not using 1.1.1.1/1.0.0.1, then they are probably not seeing that IP, and that's why they are blocked when it doesn't appear to be in the list.

    It is slightly suspicious that whatever DNS server they are using is resolving to something in the asianv4 alias, assuming you're not in Asia.

    I would suggest finding what IP they are trying to reach and whitelisting it.

    Or setting a DNS override for that fqdn. Though that may not be possible if the app is not using local DNS for whatever reason.

    Steve



  • Didn't want to leave this thread hanging.

    To answer above:

    • I'm in the US, not Asia.
    • Confirmed that devices are using 1.1.1.1

    pfBlockerNG re-enables the rule, without my interaction, after some time. This wasn't a problem because I'd rather have it enabled.

    In the end I just permitted outbound on this rule.

